This paper presents an investigation of the notion of reaction time in some synchronous systems. A 
state-based description of such systems is given, and the reaction time of such systems under some 
classic composition primitives is studied. Reaction time is shown to be non-compositional in general. 
Possible solutions are proposed, and applications to verification are discussed. This framework is 
illustrated by some examples issued from studies on real-time embedded systems. 



1 Introduction 

A primary concern when developing hard real-time embedded systems is to ensure the timeliness of 
computations. This kind of requirement is often expressed as a reaction time constraint, i.e. an upper 
bound on the time the system may take to process an input and produce the related output. When systems 
are composed of multiple communicating agents, this task may be difficult. In this paper, we propose a 
formalization of reaction time for a certain class of synchronous systems. We show that reaction time is a 
fine-grained notion of functional dependency, and we show that it is non-compositional. In order to solve 
this problem, we propose an approximate but compositional method to reason on functional dependency 
and reaction time. 

Related work. The specification and verification of temporal properties traditionally relies on temporal 
logic [6] or related formalisms. With these formalisms, the system designer gives a specification of 
some causality or quantitative property which is then verified by model-checking. 

These methods are also applicable to the restricted class of synchronous systems. The OASIS 
[5] system, which motivated this study, belongs to this class. A traditional compositional verification of 
synchronous systems using Moore machines [10] was given in [4]. Our formal framework to reason on 
reaction time was heavily inspired by the literature on information flow analysis [3] and on the category-
theoretic view of process algebras [1]. It is also similar to testing methods [11]. 



2 Preliminaries 

2.1 Case study: proving the reactivity of a simple system 

Let S be a black box with two buttons A and B as inputs and the elements of any non-singleton set as 
outputs. In this example, we will assume that S is deterministic. Our goal is to decide whether pressing 
A has any observable effect on the system. A naive solution is to verify whether the new observable state 
is different from the previous one. 

Input:             S --A--> S_A 
Observable state:  o        o' 

If o ≠ o', we may consider that the system seems to have answered the pressing of A. There are two 
counter-arguments to this conclusion: 

1. S may have decided in advance to output o'; 

2. there is no reason for an observable consequence to occur immediately after pressing the button. 

In order to obtain a correct solution, the main point to take into account is that the observable state is not 
only function of the inputs but also of the internal state. From now on, we will assume that we have two 
identical copies of S, and we will proceed to the experiment simultaneously with the button A and the 
button B. 



Input:             S --A--> S_A          S --B--> S_B 
Observable state:  o        o'           o        o'' 



If o' ≠ o'', we deduce that the system has distinguished between pressing the button A and the button B. 
This experiment is thus strictly more informative than the previous one. In the other case, knowing that 
o' = o'' is not enough for us to extract any information on the internal behavior of the system. Indeed, 
the second counter-argument states that the observable reaction can occur after an arbitrary number 
of transitions. A solution is to iterate the experiment on S_A and S_B until observing a difference, but 
the observable state then becomes possibly correlated to the other choices A or B performed during the 
experiment. The choices must thus be identical for S_A and S_B. 

We can informally define reactivity by stating that if there exists a finite sequence of experiments (i.e. 
a word on {A,B}) allowing to distinguish the systems S_A and S_B, then S is reactive. In formal terms, this 
is equivalent to stating that S_A and S_B must be non-bisimilar. The reaction time is the maximum length 
of the minimal experiment allowing to prove non-bisimilarity. 



2.2 Notations and definitions 

Some definitions will be useful to our work. Let $\Sigma$ be a set. The set of finite words on $\Sigma$ is noted $\Sigma^*$, and 
the set of infinite words is noted $\Sigma^\omega = \mathbb{N} \to \Sigma$. The set of finite and infinite words is $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. 
The length of a finite word $w$ will be noted $|w|$. For any word $w$ we will note $\mathrm{prefix}(w, len)$ the prefix of 
$w$ of length $len$, and we also note $w[i]$ the $i$-th symbol of $w$, where $i \in [0; |w| - 1]$. 

The singleton set is $1 = \{*\}$ (up to isomorphism), and the disjoint union of two sets $A$ and $B$ is noted 
$A + B$. The set of natural integers strictly smaller than $x$ is noted $\mathbb{N}_{<x}$. 



3 A formal model of synchronous systems 

We aim at giving a formal model of synchronous systems sufficiently expressive to encode languages 
such as Lustre [8] and PsyC [5]. Our formalism is an adaptation of Moore machines [10]. 



3.1 The synchronous abstraction 

We will restrict ourselves to the set of systems which respect the synchronous mode of computation. In 
this model, the computation is divided in successive rounds. Each transition from a round to the next 
denotes the tick of a global logical clock. The observable state of a system is constant on each round, and 
changes only at the boundary between rounds. At each new round, the new internal state is a function of 
the current input and internal state (equivalently, the internal state is a function of the initial internal state 
and all previous inputs). The observable state is only function of the internal state. The following timeline 
shows an example of a deterministic synchronous computation involving three successive rounds. 
In this example, the output $out_0$ is a function of the initial internal state only; the output $out_1$ is a function 
of the initial internal state and $in_1$; and the output $out_2$ is a function of the initial internal state, $in_1$ and 
$in_2$. Thus, inputs have no immediate effect on the observable state. 

3.2 State-based description of synchronous systems 

We define our synchronous systems as a labeled transition system (LTS) inspired by Moore machines. 
We recall here some definitions which will be useful in the following developments. 

Definition 1 (Synchronous system). Let $In$ be a set of inputs and $Out$ be a set of outputs. A synchronous 
system $S = (In, Out, Q, E, out, q_i)$ is the data of: 

• a set of states $Q$, 

• a transition relation $E \subseteq Q \times In \times Q$, 

• a labeling function associating states to outputs $out : Q \to Out$, 

• and an initial state $q_i \in Q$. 

The sets $In$ and $Out$ are the signature of $S$. We will note $p \xrightarrow{a} q$ as a shorthand for $(p, a, q) \in E$. Moreover, 
we constrain our systems to be finitely branching and to be complete, i.e. $\forall p \in Q, \forall a \in In, \exists p' \in Q, p \xrightarrow{a} p'$.¹ 

The computational meaning of an LTS is expressed using the notion of run. It allows us to define the 
output language associated to an input word. 

Definition 2 (Run of a synchronous system, output language). Let $S = (In, Out, Q, E, out, q_i)$ be a syn-
chronous system. We define the notions of finite run and the associated output language. 

Finite runs. Let $w \in In^*$ be a finite input word. The set of finite, maximal runs of $S$ on $w$ starting from 
state $q_0 \in Q$ is $\mathrm{Runs}^*_S(q_0, w) \subseteq Q \times (In \times Q)^*$ and is defined as: 

$$\mathrm{Runs}^*_S(q_0, w) = \{\, q_0.w[0].q_1 \ldots w[|w|-1].q_{|w|} \mid \forall i \in [0; |w|-1],\ q_i \xrightarrow{w[i]} q_{i+1} \,\}.$$ 

Output language. The output language of $S$ associated to $w$ and $q_0$ is $\mathcal{L}^*_S(q_0, w) \subseteq Out^*$ and is defined 
as follows: 

$$\mathcal{L}^*_S(q_0, w) = \{\, out(q_0).out(q_1) \ldots out(q_{|w|}) \mid q_0.a_0.q_1.a_1 \ldots q_{|w|} \in \mathrm{Runs}^*_S(q_0, w) \,\}.$$ 

The classical equivalence relation on states of labeled transition systems is bisimilarity. Its definition 
is slightly adapted to our notion of synchronous system. 

Definition 3 (Bisimilarity, non-bisimilarity). Let $S = (In, Out, Q, E, out, q_i)$ be a synchronous system. A 
relation $R \subseteq Q \times Q$ is said to be a (strong) bisimulation if and only if the following condition holds: 

$$\forall (p, q) \in R,\ out(p) = out(q) \ \wedge\ (\forall p \xrightarrow{a} p', \exists q \xrightarrow{a} q', (p', q') \in R) \ \wedge\ (\forall q \xrightarrow{a} q', \exists p \xrightarrow{a} p', (p', q') \in R).$$ 

If there exists such a relation $R$ s.t. $(p, q) \in R$, then $p$ and $q$ are said to be bisimilar, which is noted $p \sim q$. 
Moreover, bisimilarity is an equivalence relation. Conversely, the negation of bisimilarity $\not\sim\ \subseteq Q \times Q$ is 
inductively defined by the rules below. In these rules, $p, q \in Q$ and $a \in In$ are universally quantified. 

BASE: from $out(p) \neq out(q)$, derive $p \not\sim q$. 

IND: from $(\exists p \xrightarrow{a} p', \forall q \xrightarrow{a} q', p' \not\sim q') \ \vee\ (\exists q \xrightarrow{a} q', \forall p \xrightarrow{a} p', p' \not\sim q')$, derive $p \not\sim q$. 

¹ In practice, these conditions constrain the input and output data sets to be finite. 
Figure 1: Some reactive and non-reactive systems (panel (c): reactive non-deterministic system; figure not reproduced) 

In this paper, except when stated otherwise, all state spaces shall be assumed to be quotiented by 
bisimulation equivalence. 



4 Reaction time of a state in a synchronous system 



This section formalizes the ideas exposed in the case study, in Sec 2.1 and extends them to non- 
deterministic systems. The case study proposes to model reaction as a functional dependency between 
a set of inputs and the future behavior of the system. In our formal model, these future behaviors are 
represented as the successor states of the considered state. 

In this setting, we will first define a notion of reactivity inspired by functional dependency, and then 
define reaction time as the necessary time to prove that two successor states are not bisimilar. 



4.1 Reactivity 

Let $In = \{A, B\}$ and $Out$ be a non-singleton set. Let $S = (In, Out, Q, E, out, q_i)$ be a synchronous system, 
and let us assume that state $q \in Q$ is as depicted in Fig. 1(a). We observe that there are two inputs $A$ 
and $B$ leading to non-bisimilar states $q_1$ and $q_2$. In this case, state $q$ is thus reactive. In the case of 
non-deterministic systems, we must generalize this idea: if there exists an asymmetry in the possible 
transitions of a system, then it is reactive. Let us assume that state $q$ is as depicted in Fig. 1(b). There, $q$ is 
not reactive because there is a symmetry between the transitions possible with $A$ and the transitions pos-
sible with $B$. This symmetry is broken in Fig. 1(c). Non-determinism highlights the fact that reactivity 
is a kind of non-bisimilarity. 

Definition 4 (Reactivity of a state in a synchronous system, separating pair). Let $In, Out$ be two sets, 
$S = (In, Out, Q, E, out, q_i)$ be a synchronous system and $q \in Q$ be a state. We will denote $\mathrm{reactive}(q)$ the 
fact that $q$ is reactive. The predicate $\mathrm{reactive}(q)$ is defined as follows: 

$$\mathrm{reactive}(q) \equiv \exists a_1, a_2 \in In,\ a_1 \neq a_2 \ \wedge\ (\exists q \xrightarrow{a_1} q_1,\ \forall q \xrightarrow{a_2} q_2,\ q_1 \not\sim q_2).$$ 

The pair of inputs $(a_1, a_2)$ is a separating pair of $q$. It is deterministic iff $\forall q \xrightarrow{a_1} q_1, \forall q \xrightarrow{a_2} q_2, q_1 \not\sim q_2$. The 
set of separating pairs of $q$ is noted $\mathrm{SepPairs}(q)$, and the deterministic subset is $\mathrm{DSepPairs}(q)$. 



4.2 Observable effects 



Observable effects stem from a fine-grained study of reactivity. In this section, we show that an observ- 
able effect characterizes a temporally localized difference between the behaviors of non-bisimilar states. 
We show that an input datum has observable effects on the system on a not necessarily finite interval. 

Characterizing the difference between two states. Characterizing the difference between states can be 
done by studying the negation of bisimulation. 

Definition 5 (Separators, strongly separable states). Let $S = (In, Out, Q, E, out, q_i)$ be a synchronous sys-
tem and $p_1, q_1 \in Q$ s.t. $p_1 \not\sim q_1$. A constructive proof of $p_1 \not\sim q_1$ is the data of (at least) two separating runs 
$r_1 \in \mathrm{Runs}^*_S(p_1, w)$ and $r_2 \in \mathrm{Runs}^*_S(q_1, w)$: 

$$r_1 = p_1.a_1.p_2.a_2 \ldots a_n.p_{n+1} \quad\text{and}\quad r_2 = q_1.a_1.q_2.a_2 \ldots a_n.q_{n+1}.$$ 

These runs are labelled on input by a finite word $w = a_1.a_2 \ldots a_n$ called separator, and generate output 
words $o_1 = out(p_1).out(p_2) \ldots out(p_{n+1}) \in Out^*$ and $o_2 = out(q_1).out(q_2) \ldots out(q_{n+1}) \in Out^*$. More 
generally, any separator $w$ induces a nonempty set $\mathcal{O}(p_1, q_1, w)$ of pairs of different output words $(o_1, o_2)$ 
generated by separating runs s.t. $o_1 \in \mathcal{L}^*_S(p_1, w), o_2 \in \mathcal{L}^*_S(q_1, w)$. 

A separator $w$ is deterministic when all its runs are separating, i.e. all runs stem from a proof of 
$p_1 \not\sim q_1$. The set of separators of two states $p, q$ is noted $\mathcal{S}(p, q)$, and the set of deterministic separators 
is noted $\mathcal{DS}(p, q)$. Note that $\mathcal{DS}(p, q) \subseteq \mathcal{S}(p, q)$. 

Two states $p, q$ are said to be strongly separable, noted $p \,)(\, q$, iff all infinite input words are prefixed 
with a deterministic separator. 

Fig. 2 shows two separable LTS. The fact that they are non-bisimilar is proved by the existence of 
two separators (although one would suffice) of length two and three, as emphasized by the dotted paths. 

Once separability of two states is defined, we can define what an observable effect is and when it occurs. 
This is based on observing the differences in the output word pairs generated by a separator. 

Definition 6 (Observable effect). Let $p, q \in Q$ be two states. Let $w \in In^*$ be an input word. The observable 
effects are generated by all the prefixes of $w$ which are separators. 

$$\mathrm{diff}_{p,q} : \{\, (w, n) \mid w \in In^*,\ n \in \mathbb{N}_{<|w|} \,\} \to 1 + (Out \times Out)$$ 

$$\mathrm{diff}_{p,q}(w, n) = (x_1, x_2) \iff \mathrm{prefix}(w, n+1) \in \mathcal{S}(p, q) \ \wedge\ (o_1, o_2) \in \mathcal{O}(p, q, \mathrm{prefix}(w, n+1)) \ \wedge\ x_1 = o_1[n] \wedge x_2 = o_2[n]$$ 

$\mathrm{diff}_{p,q}(w, n)$ returns $* \in 1$ if there is no difference at index $n$, or a pair $(o_1[n], o_2[n])$ s.t. $o_1[n] \neq o_2[n]$ at 
the same index. These differences are the observable effects induced by $w$. 

The existence of a separator ensures that there may be an observable effect. Fig. 3 shows two systems 
(whose state space is quotiented by bisimulation equivalence) with an unknown output datum $X$ in Fig. 3(b). 

Figure 3: Partial separability (figure not reproduced) 

State names are omitted and the nodes only contain the output data. If $X = 0$, the initial states 
are separable with the words of the language $B^*A$. These are deterministic separators: reading them on 
input ensures an observable effect. We observe that the input words of the language $B^\omega$ do not yield 
an observable effect. On the other hand, if $X \neq 0$, all infinite words are prefixed by a (deterministic) 
separator. An eventual observable reaction is guaranteed. 



4.3 Reaction time 

Since we work with logical time, the occurrence times of observable effects are their indices in the 
associated output traces. We may define the reaction time of a state as the maximum of the occurrence 
time of the first observable effect. This yields two possible views of reaction time: an optimistic one (an 
observable effect may arise . . . ) and a pessimistic one (an observable effect must arise). Moreover, the 
reaction time of a state can be valid for all contexts or just for some. Our application domain requires that 
we choose a pessimistic approach. Compositionality in turn requires that we quantify over all possible 
contexts when defining reaction time, as will be shown later. 

Definition 7 (Deterministic reaction time). The (deterministic) reaction time of a state w.r.t. an input is 
the maximum number of transitions that must be performed to see the first observable effect arise, for 
any input. Let $q \in Q$ be a state s.t. $\mathrm{reactive}(q)$ holds. We note by $\mathrm{detreactime}(q) = t$ the fact that $q$ has a 
reaction time of $t$ transitions, where: 

$$\mathrm{detreactime}(q) = \max\{\, n \mid (a_1, a_2) \in \mathrm{DSepPairs}(q),\ q \xrightarrow{a_1} q_1,\ q \xrightarrow{a_2} q_2,\ q_1 \,)(\, q_2,\ w \in In^\omega,\ \mathrm{diff}_{q_1,q_2}(w, n) \neq * \ \wedge\ \forall n' < n,\ \mathrm{diff}_{q_1,q_2}(w, n') = * \,\}$$ 



5 Observable effects under composition 

In the previous section, we have defined a notion of observable effects for synchronous systems. In 
this section, we will investigate the way observable effects evolve when synchronous systems are com-
posed. To this end, we will define a small process algebra, inspired by the category-theoretical work of 
Abramsky on concurrency [1]. 
Figure 4: Definition of the composition operations 

(a) Sequential composition 

SEQ-OUTPUT: $out_{g \circ f}(q_f, q_g) = out_g(q_g)$ 

(b) Parallel composition 

PAR-NEXT: from $q_f \xrightarrow{in_f} q'_f$ and $q_g \xrightarrow{in_g} q'_g$, derive $q_f \parallel q_g \xrightarrow{(in_f, in_g)} q'_f \parallel q'_g$ 

PAR-OUTPUT: $out_{f \parallel g}(q_f \parallel q_g) = (out_f(q_f), out_g(q_g))$ 



5.1 Data types 

In order to model multiple input-output ports, we will force a monoidal structure on the data processed by 
our synchronous systems. Let $Basic = \{\mathrm{int}; \mathrm{bool}; 1; \ldots\}$ be a set of basic datatypes. The set of datatypes 
is the monoid $(\mathcal{D}, \times)$ generated by $Basic$ and closed by cartesian product. 



5.2 Composition operators 

Our composition operators are sequential composition and parallel composition. The transition rela-
tions of the compound systems are defined in a classic way, using a small-step semantics given by SOS 
inference rules (cf. Fig. 4). 

Sequential composition. Let $A, B, C$ be three sets. Let $S_f = (A, B, Q_f, E_f, out_f, q_{i,f})$ and $S_g = (B, C, 
Q_g, E_g, out_g, q_{i,g})$ be two systems. The sequential composition $S_g \circ S_f$ proceeds by redirecting the output 
of $S_f$ to the input of $S_g$. The compound system is $S_g \circ S_f = (A, C, Q_f \times Q_g, E_{g \circ f}, out_{g \circ f}, (q_{i,f}, q_{i,g}))$, where 
$E_{g \circ f}$ and $out_{g \circ f}$ are defined in Fig. 4. 

Parallel composition. Let $A, B, C, D$ be four sets. Let $S_f = (A, B, Q_f, E_f, out_f, q_{i,f})$ and $S_g = (C, 
D, Q_g, E_g, out_g, q_{i,g})$ be two systems. The parallel composition proceeds by pairing the respective 
transitions of $S_f$ and $S_g$ in a synchronous way. The compound system is $S_f \parallel S_g = (A \times C, B \times D, Q_f \times 
Q_g, E_{f \parallel g}, out_{f \parallel g}, (q_{i,f}, q_{i,g}))$ where $E_{f \parallel g}$ and $out_{f \parallel g}$ are also defined in Fig. 4. 



Other operations. Another important operation is the feedback. We omit it for space reasons, but 
it must be noted that it exhibits the same behavior as sequential composition. The other operations 
necessary to make our definitions into a usable process algebra are structural ones, like data duplication, 
erasure, etc. These important details are omitted from the following study. 
Figure 5: Example of disappearing separator (machines $S_f$ and $S_g$; figure not reproduced) 



5.3 Observable effects w.r.t. sequential composition 

In this section, we study the behavior of the observable effects of systems when they are composed. 
We restrict our attention to sequential composition since it is easy to show that parallel composition 
does not alter the behavior of the sub-components. We show that under sequential composition, whenever 
reactivity still holds, the observable effects can vary arbitrarily. Our examples will be given on Moore 
machines whose state space is not quotiented by bisimulation equivalence. 



The proof that reactivity can be lost follows the same argument that shows that the composition of two 
non-constant total functions can be constant. The figure (machines $S_f$, $S_g$ and $S_g \circ S_f$; not reproduced 
here) shows the composition of two reactive Moore machines $S_f$ and $S_g$ whose composition is not 
reactive. In this example, this stems from the fact that the observable effect $(0, 1)$ of the input received 
in state $p_0$ of the machine $S_f$ is not "taken into account" by the machine $S_g$, i.e. $(0, 1)$ is not a separating 
pair of state $q_1$. 

The fact that an observable effect of $S_f$ is a separating pair of $S_g$ is not enough to guarantee an ob-
servable effect on output. Sequential composition restricts the input language of the system in receiving 
position (here, $S_g$). This means that separators can appear and disappear arbitrarily. The two Moore 
machines in Fig. 5 are modifications of the earlier ones. The states $p_0$ and $q_1$ are still reactive, but when 
composed the output symbols on $p_0$ and $p_1$ restrict the set of inputs of the states $q_2$ and $q_3$ to the word 
$0$. Thus, $q_2$ and $q_3$ are no longer separable and the result is the constant machine shown earlier. 

The conclusion of this study confirms the intuition: there is no general way of guaranteeing functional 
dependencies. These results extend to reaction time, which is not preserved: the receiving machine may 
ignore the first observable effect and take into account later ones. 

In verification terms, this means that in order to verify that the composition of two systems is reactive, 
a full search of the state space for separators must be undertaken. In the next section, an approximate but 
compositional method to simplify this process is proposed. 
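As an added example (not code from the paper), the following Python script implements Definitions 1 to 4 and 7 for finite deterministic Moore machines and then the sequential composition of Section 5.2, so that the disappearing-separator phenomenon of this section can be checked mechanically. Non-bisimilarity is computed by partition refinement (the BASE and IND rules of Definition 3); the deterministic reaction time is the longest run of equal outputs between the two successors of a separating pair, and a cycle of equal outputs is reported as an infinite reaction time (the pair is separable but not strongly separable). The machines `SF`, `SG`, `SD` and `SP` are constructed for the example and are not the paper's figures; since the SEQ-NEXT rule of Fig. 4 is not legible on this page, the transition rule used in `seq_compose` ($S_g$ reads the current output of $S_f$) is an assumption.

```python
"""Reactivity, deterministic reaction time and sequential composition of finite
deterministic Moore machines (Definitions 1-4 and 7, Section 5.2). Added example;
the machines below are constructed for illustration, not the paper's figures."""
import math


class Sync:
    """Synchronous system (In, Out, Q, E, out, q_i) restricted to deterministic, complete
    systems: delta maps every (state, input) to exactly one successor."""

    def __init__(self, inputs, states, delta, out, init):
        self.In, self.Q, self.delta, self.out, self.init = list(inputs), list(states), delta, out, init
        for q in self.Q:
            for a in self.In:
                assert (q, a) in delta, "system is not complete at %r" % ((q, a),)


def non_bisimilar(s):
    """Partition refinement: the set of ordered pairs (p, q) with p not bisimilar to q.
    Start from the output partition (BASE rule) and split a block whenever two of its states
    reach differently classified successors (IND rule); stop when no block splits."""
    block = {q: s.out[q] for q in s.Q}
    while True:
        refined = {q: (block[q], tuple(block[s.delta[(q, a)]] for a in s.In)) for q in s.Q}
        if len(set(refined.values())) == len(set(block.values())):
            return {(p, q) for p in s.Q for q in s.Q if block[p] != block[q]}
        block = refined


def sep_pairs(s, q, nb):
    """Separating pairs of q (Definition 4). In a deterministic system SepPairs = DSepPairs."""
    return {(a1, a2) for a1 in s.In for a2 in s.In
            if a1 != a2 and (s.delta[(q, a1)], s.delta[(q, a2)]) in nb}


def first_effect_bound(s, q1, q2):
    """Largest index at which the first observable effect between q1 and q2 can occur, over all
    infinite input words; None if some word never yields one (q1, q2 not strongly separable).
    A pair with equal outputs is 'silent'; a cycle of silent pairs is a word without effect."""
    memo, stack = {}, set()

    def longest(pair):
        if s.out[pair[0]] != s.out[pair[1]]:
            return 0                      # effect visible at this index
        if pair in memo:
            return memo[pair]
        if pair in stack:
            return None                   # silent cycle: no effect along this word
        stack.add(pair)
        best = 0
        for a in s.In:
            r = longest((s.delta[(pair[0], a)], s.delta[(pair[1], a)]))
            if r is None:
                best = None
                break
            best = max(best, r)
        stack.discard(pair)
        memo[pair] = None if best is None else best + 1
        return memo[pair]

    return longest((q1, q2))


def det_reaction_time(s, q):
    """detreactime(q) of Definition 7: None if q is not reactive, math.inf if some separating
    pair is not strongly separable, else the worst-case index of the first observable effect."""
    nb = non_bisimilar(s)
    pairs = sep_pairs(s, q, nb)
    if not pairs:
        return None
    bounds = [first_effect_bound(s, s.delta[(q, a1)], s.delta[(q, a2)]) for a1, a2 in pairs]
    return math.inf if None in bounds else max(bounds)


def seq_compose(f, g):
    """S_g o S_f (Sec. 5.2). ASSUMPTION (SEQ-NEXT is not legible on the page): on input a, the pair
    (q_f, q_g) steps to (delta_f(q_f, a), delta_g(q_g, out_f(q_f))), i.e. S_g reads the output S_f
    shows during the current round; the compound output is out_g (SEQ-OUTPUT)."""
    states = [(qf, qg) for qf in f.Q for qg in g.Q]
    delta = {((qf, qg), a): (f.delta[(qf, a)], g.delta[(qg, f.out[qf])])
             for (qf, qg) in states for a in f.In}
    out = {(qf, qg): g.out[qg] for (qf, qg) in states}
    return Sync(f.In, states, delta, out, (f.init, g.init))


# Constructed machines. SF reacts immediately; SG is reactive at x but then ignores its input.
SF = Sync("AB", "pq", {("p", "A"): "q", ("p", "B"): "p", ("q", "A"): "q", ("q", "B"): "p"},
          {"p": 0, "q": 1}, "p")
SG = Sync([0, 1], "xyz", {("x", 0): "y", ("x", 1): "z", ("y", 0): "y", ("y", 1): "y",
                          ("z", 0): "z", ("z", 1): "z"}, {"x": "a", "y": "b", "z": "c"}, "x")
# Delayed reaction: the effect of the input read in p0 shows one round later.
SD = Sync("AB", ["p0", "p1", "p2", "p3", "p4"],
          {("p0", "A"): "p1", ("p0", "B"): "p2", ("p1", "A"): "p3", ("p1", "B"): "p3",
           ("p2", "A"): "p4", ("p2", "B"): "p4", ("p3", "A"): "p0", ("p3", "B"): "p0",
           ("p4", "A"): "p0", ("p4", "B"): "p0"},
          {"p0": 0, "p1": 0, "p2": 0, "p3": 1, "p4": 2}, "p0")
# Shape of Program 1 (Sec. 7.2): on tt^omega the effect never shows, so the reaction time is infinite.
SP = Sync(["tt", "ff"], ["p0", "p1", "p2"],
          {("p0", "tt"): "p1", ("p0", "ff"): "p0", ("p1", "tt"): "p1", ("p1", "ff"): "p2",
           ("p2", "tt"): "p0", ("p2", "ff"): "p0"},
          {"p0": "ff", "p1": "ff", "p2": "tt"}, "p0")

if __name__ == "__main__":
    print(det_reaction_time(SF, "p"), det_reaction_time(SD, "p0"), det_reaction_time(SP, "p0"))
    print(det_reaction_time(seq_compose(SF, SG), ("p", "x")))   # None: reactivity lost
```

Running the script prints 0, 1 and inf for the three stand-alone machines and None for the composed state (p, x): SF and SG are both reactive at their initial states, but SG only ever reads the fixed output of SF's initial state, so its separating pair (0, 1) is never exercised and the composed state has no separating pair at all, which is exactly the loss of reactivity discussed above.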
6 Under-approximating observable effects 

This section proposes a partial solution to some problems encountered earlier, namely: 

1 . the fact that non-deterministic separators do not guarantee an observable effect, 

2. the non-compositionality of reactivity and observable effects. 

We proceed by reducing our focus to the cases where reactivity, which is a branching-time property 
of states, can be reduced to a linear-time one. We show how to compute the separators and separating 
pairs which are preserved when "merging" all branches of the computation tree. 

Let us assume the existence of two sets of data $In$ and $Out$. Let $q$ be a state such that $\mathrm{reactive}(q)$ 
holds, and let $(a_1, a_2) \in \mathrm{SepPairs}(q)$ be a separating pair of inputs. In Sec. 4.3 we observed that in order 
to ensure the occurrence of an observable effect and the existence of a reaction time, $q$ must be such that 
all inputs are deterministic separators for all $q_1$ and $q_2$ s.t. $q \xrightarrow{a_1} q_1$ and $q \xrightarrow{a_2} q_2$. If this condition is met, 
we can compute deterministic observable effects, i.e. effects which exist for all separators. Similarly, 
we can define deterministic separating pairs. 

First, we define some operations in order to merge sequences of observable effects. We define the 
operation $\oplus : (1 + Out \times Out) \times (1 + Out \times Out) \to (1 + Out \times Out)$ as: 

$$x \oplus x = x, \qquad x \oplus y = * \ \text{ if } x \neq y.$$ 

The extension of this operation to sequences of symbols on $(1 + Out \times Out)$ is defined straightforwardly 
(pointwise). If $d_1, d_2 \in (1 + Out \times Out)^\omega$ are two infinite sequences, their merging is also noted $d_1 \oplus d_2$. 

Definition 8 (Deterministic observable effects, observational order). Let $q$ be a state s.t. $\mathrm{reactive}(q)$ 
holds. The sequence of deterministic observable effects of $q$ is noted $\mathrm{DOE}(q)$ and is defined as follows: 

$$\mathrm{DOE}(q) = \bigoplus_{(a_1, a_2) \in \mathrm{SepPairs}(q)} \bigoplus \{\, \mathrm{diff}_{q_1, q_2}(w) \mid q \xrightarrow{a_1} q_1,\ q \xrightarrow{a_2} q_2,\ w \in In^\omega \,\}.$$ 

It is possible to define a relation $\lhd \subseteq (1 + Out \times Out)^\omega \times (1 + Out \times Out)^\omega$, where: 

$$w_1 \lhd w_2 \iff \exists! i,\ (\forall j \neq i,\ w_1[j] = w_2[j]) \wedge (w_1[i] = * \wedge w_2[i] \neq *).$$ 

The reflexive-transitive closure of $\lhd$ is the observational order and is noted $\unlhd$. The set $\mathrm{ObsOrder}(q)$ of 
infinite strings partially ordered by $\unlhd$ which has $\mathrm{DOE}(q)$ as greatest element and $*^\omega$ as least element is 
called by extension the observational order on $q$. 

We must also define linear-time-proof separating pairs, called strongly separating pairs. Let us con-
sider the systems in Fig. 6, in which only the output data is displayed and state names are omitted. The 
systems 1 and 2 are symmetrical and both have $(A, B)$ as a separating pair for their initial state. However, 
$(A, B)$ is not a separating pair for the union of the two systems. We must define a notion of separating 
pair for two systems which resists their union. 

Definition 9 (Strongly separating pairs). Let $q_1, q_2$ be two states s.t. $\mathrm{reactive}(q_{1,2})$ holds. The pair 
$(a_1, a_2) \in \mathrm{SepPairs}(q_{1,2})$ is a strongly separating pair of the union of $q_1$ and $q_2$ if and only if: 
Figure 6: Union of transition systems ((a) System 1, (b) System 2, (c) Union of systems 1 and 2; figure not reproduced) 




The set of strongly separating pairs of $q_1$ and $q_2$ is noted $\mathrm{SSP}(q_1, q_2)$. Note that $\mathrm{SepPairs}(q) = \mathrm{SSP}(q, q)$. 
The sequence of strongly separating pairs of $q_1$ and $q_2$ is noted $\mathrm{SSPseq}(q_1, q_2)$ and is defined as follows: 

$$\mathrm{SSPseq}(q_1, q_2) = \mathrm{SSP}(q_1, q_2) . \Big( \bigcap \{\, \mathrm{SSPseq}(q'_1, q'_2) \mid (a_1, a_2) \in \mathrm{SepPairs}(q_{1,2}),\ q_1 \xrightarrow{a_1} q'_1,\ q_2 \xrightarrow{a_2} q'_2 \,\} \Big),$$ 

where $\bigcap$ is the extension of set intersection to sequences of sets. Now, let $q$ be s.t. $\mathrm{reactive}(q)$ holds. The 
sequence of strongly separating pairs of $q$ is: 

$$\mathrm{SSPseq}(q) = \mathrm{SepPairs}(q) . \bigcap \{\, \mathrm{SSPseq}(q_1, q_2) \mid (a_1, a_2) \in \mathrm{SepPairs}(q),\ q \xrightarrow{a_1} q_1,\ q \xrightarrow{a_2} q_2 \,\}.$$ 

Deterministic observable effects are in fact an abstraction of the original system. The concretization 
operation is the function associating to a sequence of deterministic observable effects the set of all sys-
tems which have at least these deterministic observable effects (w.r.t. $\unlhd$). Using this abstraction, checking 
the compositionality of sequential composition is straightforward. 

Lemma 1 (Sequential composition of deterministic observable effects ensures reactivity). Let $S_f = (A, B, 
Q_f, E_f, out_f, q_{i,f})$ and $S_g = (B, C, Q_g, E_g, out_g, q_{i,g})$ be two systems. Let $q_f \in Q_f$ and $q_g \in Q_g$ be two states 
such that $(q_f, q_g)$ is in the state space of the sequential composition $S_g \circ S_f$. We have $\mathrm{reactive}(q_f, q_g)$ if: 

$$\exists d \in \mathrm{ObsOrder}(q_f),\ \exists i,\ d[i] \in \mathrm{SSPseq}(q_g)[i+1].$$ 

Proof. Let $i \in \mathbb{N}$ be such that $d[i] \in \mathrm{SSPseq}(q_g)[i+1]$. Having $d[i] = (x_1, x_2)$ implies that $\mathrm{reactive}(q_f)$ 
holds. Hence, there exist $a_1 \neq a_2$ s.t. $\exists q_f \xrightarrow{a_1} q^1_f, \forall q_f \xrightarrow{a_2} q^2_f, q^1_f \not\sim q^2_f$. By hypothesis, we know that all input 
words are separators of all such $(q^1_f, q^2_f)$. By definition, $d[i]$ is an observable effect of all these separators. 
Hence, for all input words $w$ there will exist two runs $q^1_f \xrightarrow{\mathrm{prefix}(w, i)} r^1_f$ and $q^2_f \xrightarrow{\mathrm{prefix}(w, i)} r^2_f$ s.t. $out(r^1_f) = x_1$ 
and $out(r^2_f) = x_2$. By definition of the sequential composition, this induces the runs $(q^1_f, q^1_g) \xrightarrow{\mathrm{prefix}(w, i)} (r^1_f, r^1_g)$ 
and $(q^2_f, q^2_g) \xrightarrow{\mathrm{prefix}(w, i)} (r^2_f, r^2_g)$ (with $q_g \to q^1_g$ and $q_g \to q^2_g$). Since $(x_1, x_2) \in \mathrm{SSP}(r^1_g, r^2_g)$ (by definition of 
$\mathrm{SSPseq}$), $(q^1_f, q^1_g) \not\sim (q^2_f, q^2_g)$. □ 



The compositionality of this approach stems from the fact that for any systems $S_f, S_g$ and respective 
states $q_f$ and $q_g$, an element of $\mathrm{ObsOrder}(q_f, q_g)$ can be computed using other elements from $\mathrm{ObsOrder}$ 
and $\mathrm{SSP}$. 

Definition 10 (Compositionality of deterministic observable effects). Let $q_f \in Q_f, q_g \in Q_g$ be two states. 
Let $doe_f \in \mathrm{ObsOrder}(q_f)$ and $dsp_g \in \mathrm{SSPseq}(q_g)$. If there exists a $t$ s.t. $doe_f[t] \in dsp_g[t+1]$ then there 
exists an element $doe_{g \circ f} \in \mathrm{ObsOrder}(q_f, q_g)$ s.t.: 

$$doe_{g \circ f} = *.*^t.\bigoplus \{\, doe_{g'} \mid (q_f, q_g) \xrightarrow{}^{\,t+1} (q'_f, q'_g),\ doe_{g'} \in \mathrm{ObsOrder}(q'_g) \,\}.$$ 
Figure 7: Definition of well-typed programs. 

$\Gamma \vdash \mathrm{skip} : \mathrm{comm}$ 

$\Gamma, x : \sigma \vdash x : \sigma$ 

$b \in \{tt, ff\}$ gives $\Gamma \vdash b : \mathrm{exp}(\mathrm{bool})$; $n \in \mathbb{N}$ gives $\Gamma \vdash n : \mathrm{exp}(\mathrm{int})$ 

from $\Gamma \vdash V : \mathrm{var}(\tau)$, derive $\Gamma \vdash\ !V : \mathrm{exp}(\tau)$ 

from $\Gamma \vdash V : \mathrm{var}(\tau)$ and $\Gamma \vdash E : \mathrm{exp}(\tau)$, derive $\Gamma \vdash V := E : \mathrm{comm}$ 

from $\Gamma \vdash A_0 : \mathrm{exp}(\mathrm{bool})$, $\Gamma \vdash A_1 : \sigma$ and $\Gamma \vdash A_2 : \sigma$, derive $\Gamma \vdash \mathrm{if}\ A_0\ \mathrm{then}\ A_1\ \mathrm{else}\ A_2 : \sigma$ 

from $\Gamma \vdash A_0 : \mathrm{comm}$ and $\Gamma \vdash A_1 : \sigma$, derive $\Gamma \vdash A_0 ; A_1 : \sigma$ 

from $\Gamma \vdash A_0 : \mathrm{exp}(\mathrm{bool})$ and $\Gamma \vdash A_1 : \mathrm{comm}$, derive $\Gamma \vdash \mathrm{while}\ A_0\ \mathrm{do}\ A_1\ \mathrm{done} : \mathrm{comm}$ 

from $\Gamma \vdash A_0 : \pi_0\, Out$, ..., $\Gamma \vdash A_{|Out|-1} : \pi_{|Out|-1}\, Out$, derive $\Gamma \vdash \mathrm{tick}(A_0 \ldots A_{|Out|-1}) : \mathrm{comm}$ 

$i \in \mathbb{N}_{<|In|}$ gives $\Gamma \vdash \mathrm{get}_i : \pi_i\, In$ 

The element following this prefix of $*$ symbols is computed by merging the deterministic observable effects of the 
states $q'_g$ reachable in $t+1$ transitions. The initial $*$ stems from the delay induced by communication in the synchronous model. 

A similar property holds for separating pairs. We only describe informally how to proceed, since the 
general idea is similar to the case of deterministic observable effects. A strongly separating pair of $q_f$ 
exists in $S_g \circ S_f$ if the states $q^1_f, q^2_f$ reachable by this pair have a common observable effect (computable 
using $\oplus$) which corresponds to a strongly separating pair of $q_g$. 

7 Example 

As explained in the introduction, our work focuses on a real-time system called OASIS, which provides 
a real-time kernel and a multi-agent synchronous-like language called PsyC (an extension of C with 
synchronous primitives). We have given a formal semantics of a simplification of PsyC called Psy- 
ALGOL. We will use this semantics to highlight a common use case of our framework. 

7.1 Syntax and semantics of a simple synchronous language. 

In order to give the semantics of a program, we have to define how its LTS is generated. We briefly 
survey a subset of the syntax of the language. The connection between the semantics and the resulting 
LTS should be straightforward, we will thus omit the derivations. 

Syntax. 

The syntax definition is given in an inductive way using inference rules on judgments of the shape 
$\Gamma \vdash M : \sigma$, meaning "in the context $\Gamma$, the program $M$ has type $\sigma$". A context is a list of the shape 
$x_1 : \sigma_1, \ldots, x_n : \sigma_n$. It associates variables $x_i$ to their types $\sigma_i$. For the sake of simplicity, we assume that 
all variables are declared beforehand and initialized to their default value. We ignore procedures and we 
keep the other syntactical forms as simple as possible. The types $\sigma$ and default values are defined as 
follows: 

$\tau ::= \mathrm{int} \mid \mathrm{bool}$, with $default_{\mathrm{int}} = 0$ and $default_{\mathrm{bool}} = ff$; 

$\sigma ::= \mathrm{comm} \mid \mathrm{var}(\tau) \mid \mathrm{exp}(\tau)$. 

Assuming that the programs have input and output types $(In, Out)$, the set $\mathrm{Prog}$ of correctly typed 
programs is defined in Fig. 7. We omit the arithmetical operators. 
Semantics. 

We will define the operational semantics for our language as a small-step relation. An operational se- 
mantics is usually a kind of relation associating a program in its initial configuration to its final outcome 
(be it a final value or divergence). 

Our aim is slightly different: we want to view the evaluation of a program as a synchronous system. 
This means that instead of producing a final value or diverging, we want to quantify over all possible 
inputs at each logical step, and produce a LTS. In order to simplify matters, our LTS will be given in 
unfolded form, as an infinitely deep tree. Each step of the evaluation will grow this tree downward, and 
the limit of this process will be the semantics of the program. Let's proceed to some definitions. 

Definition 11. The set of configurations is $\mathrm{Config} = \mathrm{Store}(V) \times In \times \mathrm{Prog}$, where $V$ is the set of variables 
of the program and $\mathrm{Store}(V)$ is a mapping from variables to constants. 

Definition 12. The sets $\mathrm{Trees}$ of finite (resp. infinite) partial evaluation trees are generated by the 
inductive (resp. co-inductive) interpretation of the following rules. 

LEAF: if $conf \in \mathrm{Config}$ then $conf \in \mathrm{Trees}$. 

NODE: if $out \in Out$ and $\forall in,\ tr_{in} \in \mathrm{Trees}$, then $(out, \{(in, tr_{in}) \mid in \in In\}) \in \mathrm{Trees}$. 

Let $T$ be a partial evaluation tree with leaves $(st_i, in_i, prog_i)$. Given a syntactical mapping $map : 
\mathrm{Prog} \to \mathrm{Prog}$, we note $map \mid T$ the extension of $map$ to the leaves of $T$ such that $(map \mid T)$ has leaves 
$(st_i, in_i, map(prog_i))$. 

The one-step reduction relation $\to\ \subseteq \mathrm{FiniteTrees} \times \mathrm{FiniteTrees}$ is defined in terms of a relation 
$\mapsto\ \subseteq \mathrm{Config} \times \mathrm{FiniteTrees}$ defined by the rules in Fig. 8. 

We define $\to$ as the application of $\mapsto$ to the leaves of a tree. From there, we can define the standard 
reflexive-transitive closure of $\to$ and its co-inductive counterpart as in [9]. 
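As an added example (not the paper's code), the following Python script gives a small interpreter for the language fragment above and unfolds a program into its Moore machine, following the Tick-constant rule of Fig. 8: evaluation runs until a tick fires, the tick's arguments become the output of the node, and one child configuration (st, input, rest) is created per input. Instead of the paper's single-step relation on trees, the interpreter reduces a configuration directly to its next tick (a big-step reading of the Seq-, If- and While- rules). The AST encoding, the tuple convention for inputs and outputs, the Program-1-like program `PROG` and the choice of `(False,)` as the input of the first round are all constructed for this example.

```python
"""Interpreter for a Psy-ALGOL-like fragment (Fig. 7/8) and extraction of the Moore machine
generated by a program (Definitions 11-12). Added example; AST encoding and PROG are constructed."""
from collections import deque


def ev(st, inp, e):
    """Expressions: constants, dereferenced variables !x (Deref-var) and get_i (Get)."""
    kind = e[0]
    if kind == "const":
        return e[1]
    if kind == "var":
        return st[e[1]]
    if kind == "get":
        return inp[e[1]]
    raise ValueError(e)


def run(st, inp, prog):
    """Reduce (st, inp, prog) until the next tick fires.
    Returns ("done", st) if prog terminates first, else ("tick", outputs, st, rest) where rest is
    the program left after the tick (Seq-context wraps it back into the enclosing sequence)."""
    kind = prog[0]
    if kind == "skip":
        return ("done", st)
    if kind == "assign":                                   # Assign-const
        return ("done", {**st, prog[1]: ev(st, inp, prog[2])})
    if kind == "seq":                                      # Seq-context / Seq-skip
        r = run(st, inp, prog[1])
        if r[0] == "tick":
            return ("tick", r[1], r[2], ("seq", r[3], prog[2]))
        return run(r[1], inp, prog[2])
    if kind == "if":                                       # If-true / If-false
        return run(st, inp, prog[2] if ev(st, inp, prog[1]) else prog[3])
    if kind == "while":                                    # While-unfold
        return run(st, inp, ("if", prog[1], ("seq", prog[2], prog), ("skip",)))
    if kind == "tick":                                     # Tick-constant
        return ("tick", tuple(ev(st, inp, e) for e in prog[1:]), st, ("skip",))
    raise ValueError(kind)


def moore_machine(st0, inp0, prog, inputs, max_states=1000):
    """Unfold the evaluation tree into a Moore machine whose states are the configurations
    (store, input, program) produced by Tick-constant. Returns (out, delta, init)."""
    def key(st, inp, p):
        return (tuple(sorted(st.items())), inp, p)
    init = key(st0, inp0, prog)
    out, delta, todo = {}, {}, deque([init])
    while todo:
        s = todo.popleft()
        if s in out:
            continue
        r = run(dict(s[0]), s[1], s[2])
        if r[0] != "tick":
            raise ValueError("program terminated; synchronous programs are expected to loop")
        out[s] = r[1]
        for a in inputs:                                   # Node rule: one child per input
            succ = key(r[2], a, r[3])
            delta[(s, a)] = succ
            todo.append(succ)
        if len(out) > max_states:
            raise ValueError("state space too large")
    return out, delta, init


def trace(machine, word):
    """Output word out(q_0).out(q_1)... of the run on an input word (Definition 2)."""
    out, delta, q = machine
    outs = [out[q]]
    for a in word:
        q = delta[(q, a)]
        outs.append(out[q])
    return tuple(outs)


# Constructed program, Program-1-like: capture the input at the top of the loop,
# emit a constant, then release the captured value one tick later:
#   while tt do x := get_0; tick(ff); tick(!x) done
PROG = ("while", ("const", True),
        ("seq", ("assign", "x", ("get", 0)),
         ("seq", ("tick", ("const", False)), ("tick", ("var", "x")))))
INPUTS = [(False,), (True,)]


def build():
    """Machine of PROG from the default store (x = ff) and an assumed first-round input ff."""
    return moore_machine({"x": False}, (False,), PROG, INPUTS)


if __name__ == "__main__":
    m = build()
    print(len(m[0]), "states")
    print(trace(m, [(False,), (True,), (False,)]))   # the input of round 1 shows at output index 3
```

The unfolded machine has nine configurations (the store, the current input and one of three program residues). Reading the traces shows the delay the synchronous model imposes: the value read by `get_0` in one round is first visible two outputs later, after the intervening `tick(ff)`, which is the kind of dependency the reaction-time analysis of Sections 4 and 6 is meant to bound.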

7.2 Example of synchronous programs. 

We will study the behavior of two programs, whose texts and associated (deterministic) LTS are displayed 
in Fig. 9. The first program captures an input datum at the beginning of the outer loop and releases it on 
output when the inner loop finishes executing. The second program proceeds similarly, except that 
the inner loop termination is ensured by the usage of a decreasing counter $y$ initialized to a constant $N$. 
In the LTS of program 2, this corresponds to the dashed transition between $q_1$ and $q_2$, which should be 
understood as $N-2$ omitted states with decreasing values of $y$. 

We want to check whether the data input at the tick(!x); lines highlighted in both programs yield 
a finite reaction time. These instructions correspond to states $p_0, p_2$ in LTS 1, and $q_0, q_1$ in LTS 2. Thus, 
in order for these instructions to be "reactive", the corresponding states must have a finite reaction time. 
In order to study this, we will compute their deterministic observable effects. 

Program 1. The set of separating pairs of $p_0$ and $p_2$ is $SepPairs(p_{0,2}) = \{(tt, ff)\}$. This fact is proved by the transitions $p_0 \xrightarrow{tt} p_1$, $p_0 \xrightarrow{ff} p_0$, and $p_2 \xrightarrow{tt} p_1$, $p_2 \xrightarrow{ff} p_0$ where $p_0 \neq p_1$. The only separator of $(p_0, p_1)$ is the one-symbol word $w = ff$. This fact is proved by the transitions $p_0 \xrightarrow{ff} p_0$ and $p_1 \xrightarrow{ff} p_2$, where $out(p_0) \neq out(p_2)$. The separator $w$ is deterministic, since the underlying automaton is itself deterministic. This separator induces a pair of output words $(o_1, o_2) = (ff.ff, ff.tt)$ and thus an observable
Figure 8: One-step reduction relation. The rules define $\rightarrowtail$; a rule whose premise is $(st,in,A) \rightarrowtail T$ rebuilds its conclusion by applying the given mapping to the leaves of $T$ (the $map \mid T$ extension of Definition 12).

Const: $(st,in,c) \rightarrowtail (st,in,c)$ if $c$ is a constant.

Var: $(st,in,x) \rightarrowtail (st,in,x)$ if $x \in dom(st)$.

Seq-context: if $(st,in,A_0) \rightarrowtail T$ then $(st,in,A_0;A_1) \rightarrowtail (\lambda A'_0.\, A'_0;A_1) \mid T$.

Seq-skip: $(st,in,skip;A_1) \rightarrowtail (st,in,A_1)$.

Deref-context: if $(st,in,A) \rightarrowtail T$ then $(st,in,!A) \rightarrowtail (\lambda A'.\, !A') \mid T$.

Deref-var: $(st,in,!x) \rightarrowtail (st,in,st(x))$.

Assign-context: if $(st,in,A) \rightarrowtail T$ then $(st,in,x:=A) \rightarrowtail (\lambda A'.\, x:=A') \mid T$.

Assign-const: $(st,in,x:=v) \rightarrowtail (st[x \mapsto v],in,skip)$.

Get: $(st,in,get) \rightarrowtail (st,in,in)$.

If-cond-context: if $(st,in,A_0) \rightarrowtail T$ then $(st,in,\mathtt{if}\ A_0\ \mathtt{then}\ A_1\ \mathtt{else}\ A_2) \rightarrowtail (\lambda A'.\, \mathtt{if}\ A'\ \mathtt{then}\ A_1\ \mathtt{else}\ A_2) \mid T$.

If-true: $(st,in,\mathtt{if}\ tt\ \mathtt{then}\ A_1\ \mathtt{else}\ A_2) \rightarrowtail (st,in,A_1)$.

If-false: $(st,in,\mathtt{if}\ ff\ \mathtt{then}\ A_1\ \mathtt{else}\ A_2) \rightarrowtail (st,in,A_2)$.

While-unfold: $(st,in,\mathtt{while}\ A\ \mathtt{do}\ A_1\ \mathtt{done}) \rightarrowtail (st,in,\mathtt{if}\ A\ \mathtt{then}\ A_1;\mathtt{while}\ A\ \mathtt{do}\ A_1\ \mathtt{done}\ \mathtt{else}\ skip)$.

Tick-context-i: if $(st,in,A_i) \rightarrowtail T$ then $(st,in,tick(c_0 \ldots c_{i-1}, A_i \ldots A_{|out|-1})) \rightarrowtail (\lambda A'_i.\, tick(c_0 \ldots c_{i-1}, A'_i \ldots A_{|out|-1})) \mid T$.

Tick-constant: $(st,in,tick(c_0 \ldots c_{|out|-1})) \rightarrowtail ((c_0 \ldots c_{|out|-1}), \{(input, (st,input,skip)) \mid input \in In\})$.



effect $diff_{p_0 p_1}(w, 1) = (ff, tt)$. However, this observable effect is not deterministic, since there exists an infinite input word $tt^\omega$ which generates no observable effect. Thus, the sequence of observable effects of $p_0$ and $p_2$ is $*^\omega$ and the reaction time for the highlighted line instruction does not exist (or, equivalently, is infinite).



Program 2. The set of separating pairs of $q_0$ and $q_3$ is still $SepPairs(q_{0,3}) = \{(tt, ff)\}$. The corresponding transitions are $q_0 \xrightarrow{tt} q_1$, $q_0 \xrightarrow{ff} q_0$ and $q_3 \xrightarrow{tt} q_1$, $q_3 \xrightarrow{ff} q_0$ with $q_0 \neq q_1$. The (deterministic) separators of $(q_0, q_1)$ are $S(q_0,q_1) = DS(q_0,q_1) = \{ff;\ tt.ff;\ tt.tt.ff;\ \ldots;\ tt^{N-2}.ff;\ tt^{N-1}.bool\}$. The table below lists the observable differences associated to each separator.

$ff \mapsto *.(ff,tt).*^\omega$

$tt.ff \mapsto *.*.(ff,tt).*^\omega$

$\ldots$

$tt^{N-2}.ff \mapsto *^{N-1}.(ff,tt).*^\omega$

$tt^{N-1}.bool \mapsto *^{N}.(ff,tt).*^\omega$

When merging these observable differences, we obtain $DOE(q_{0,3}) = *^\omega$. This means that even though program 2 is reactive with a finite reaction time, it is still non-compositional within our simple framework. This is due to the fact that the occurrence times of the observable effects are non-uniform w.r.t. inputs, i.e. non-constant.
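To make the rules of Fig. 8 and the two programs of Fig. 9 concrete, here is an added example, written for this page and not code from the paper or from the OASIS project. It implements the one-step reduction as a `step` function that returns either a new configuration or a tree node $(out, \{(in, leaf)\})$, using the $map \mid T$ extension of Definition 12 for every context rule, explores the reachable tick states of Programs 1 and 2 (the LTS of Fig. 9 with the store kept explicit, so Program 2 has $2N-1$ states rather than the four drawn), and computes the worst-case number of ticks from the highlighted `tick(!x)` until the next `tick(!x)`, which is when the captured input reaches the output. Assumptions beyond the page: a `binop` rule (and, sub, ne) for the guard and counter of Program 2, which Fig. 8 leaves implicit; assignments and derefs name variables directly, so the Var and Deref-context rules are not needed; and an arbitrary initial input, since no `get` precedes the first tick.

```python
# Added example, not the paper's code: the Fig. 8 reduction rules as a Python step function,
# used to build the LTS of Programs 1 and 2. Assumptions: a 'binop' rule (and/sub/ne) for the
# guard and counter of Program 2, which Fig. 8 leaves implicit; assignments and derefs name
# variables directly (so the Var and Deref-context rules are not needed); the initial input is
# arbitrary, since no get precedes the first tick.
INPUTS = (True, False)                                             # In = {tt, ff}
SKIP = ('skip',)
OPS = {'and': lambda a, b: a and b, 'sub': lambda a, b: a - b, 'ne': lambda a, b: a != b}

# AST constructors; tuples keep programs hashable so they can be part of LTS state keys
def const(v): return ('const', v)
def deref(x): return ('deref', x)
def get(): return ('get',)
def assign(x, e): return ('assign', x, e)
def while_(c, b): return ('while', c, b)
def tick(*es): return ('tick', es)
def binop(op, a, b): return ('binop', op, a, b)
def seq(*a): return a[0] if len(a) == 1 else ('seq', a[0], seq(*a[1:]))
def is_val(e): return e[0] == 'const'

class Node:                              # tree node (out, {in -> leaf}) built by Tick-constant
    def __init__(self, out, leaves): self.out, self.leaves = out, leaves

def map_leaves(t, f):                    # map | T of Definition 12
    return Node(t.out, {i: (st, inp, f(p)) for i, (st, inp, p) in t.leaves.items()})

def ctx(conf, f):                        # shape shared by the *-context rules of Fig. 8
    r = step(conf)
    return map_leaves(r, f) if isinstance(r, Node) else (r[0], r[1], f(r[2]))

def step(conf):                          # one application of the Fig. 8 relation
    st, inp, p = conf
    if p[0] == 'seq':
        a0, a1 = p[1], p[2]
        if a0 == SKIP: return (st, inp, a1)                                # Seq-skip
        return ctx((st, inp, a0), lambda a: ('seq', a, a1))               # Seq-context
    if p[0] == 'deref': return (st, inp, const(st[p[1]]))                  # Deref-var
    if p[0] == 'get': return (st, inp, const(inp))                         # Get
    if p[0] == 'assign':
        if is_val(p[2]): return ({**st, p[1]: p[2][1]}, inp, SKIP)         # Assign-const
        return ctx((st, inp, p[2]), lambda a: ('assign', p[1], a))        # Assign-context
    if p[0] == 'if':
        c, a1, a2 = p[1], p[2], p[3]
        if is_val(c): return (st, inp, a1 if c[1] else a2)                 # If-true / If-false
        return ctx((st, inp, c), lambda a: ('if', a, a1, a2))             # If-cond-context
    if p[0] == 'while': return (st, inp, ('if', p[1], ('seq', p[2], p), SKIP))  # While-unfold
    if p[0] == 'binop':                                                    # assumed rule, left to right
        op, a, b = p[1], p[2], p[3]
        if is_val(a) and is_val(b): return (st, inp, const(OPS[op](a[1], b[1])))
        if is_val(a): return ctx((st, inp, b), lambda e: ('binop', op, a, e))
        return ctx((st, inp, a), lambda e: ('binop', op, e, b))
    if p[0] == 'tick':
        es = p[1]
        for i, e in enumerate(es):
            if not is_val(e):                                              # Tick-context-i
                return ctx((st, inp, e), lambda a, i=i: ('tick', es[:i] + (a,) + es[i + 1:]))
        return Node(tuple(e[1] for e in es), {i: (st, i, SKIP) for i in INPUTS})  # Tick-constant
    raise ValueError(p)

def next_tick(conf):                     # reduce a leaf until the next tick (a Node)
    while not isinstance(conf, Node): conf = step(conf)
    return conf

def key(n):                              # a node is identified by output, store and continuation
    st, _, p = next(iter(n.leaves.values()))
    return (n.out, tuple(sorted(st.items())), p)

def lts(prog):                           # reachable tick states: {state: (out, {input: state})}
    root = next_tick(({}, False, prog))
    states, todo = {}, [root]
    while todo:
        n = todo.pop()
        if key(n) in states: continue
        succ = {i: next_tick(leaf) for i, leaf in n.leaves.items()}
        states[key(n)] = (n.out, {i: key(m) for i, m in succ.items()})
        todo.extend(succ.values())
    return states, key(root)

def release_time(states, root):
    # Worst case, over input words, of the number of ticks from the highlighted tick(!x) until
    # control is back at a tick(!x) state, i.e. until the captured input reaches the output.
    # None means some input word keeps the program in the inner loop forever (Program 1).
    outer, memo, onpath = root[2], {}, set()
    def longest(s):                      # longest path from s back to the outer continuation
        if s[2] == outer: return 0
        if s in onpath: return None      # cycle among inner states: unbounded
        if s in memo: return memo[s]
        onpath.add(s); best = 0
        for t in states[s][1].values():
            d = longest(t)
            if d is None: best = None; break
            best = max(best, 1 + d)
        onpath.discard(s); memo[s] = best
        return best
    ds = [longest(t) for t in states[root][1].values()]
    return None if None in ds else 1 + max(ds)

def program1():                          # Fig. 9(a), Program 1
    inner = while_(get(), tick(const(False)))
    return seq(assign('x', const(False)),
               while_(const(True), seq(tick(deref('x')), assign('x', get()), inner)))

def program2(n):                         # Fig. 9(a), Program 2 with counter bound n
    guard = binop('and', get(), binop('ne', deref('y'), const(1)))
    inner = while_(guard, seq(assign('y', binop('sub', deref('y'), const(1))), tick(const(False))))
    return seq(assign('x', const(False)), assign('y', const(n)), while_(const(True),
               seq(tick(deref('x')), assign('x', get()), assign('y', const(n)), inner)))
```

Running `lts(program1())` yields the three states $p_0, p_1, p_2$ of Fig. 9(b); the inner state loops on itself under input $tt$, which is the $tt^\omega$ word of the discussion above, so `release_time` reports no bound. For `program2(3)` the search yields five states (the store distinguishes the outer tick states by the final value of $y$) and a release time of 3, i.e. $N$ ticks, the bound that appears as $*^N$ in the last row of the table above; the same holds for any $N$.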
Figure 9: LTS of programs 1 and 2

(a) Programs 1 and 2

Program 1
    x := ff;
    while tt do
        tick(!x);              ⇐
        x := get;
        while get do
            tick(ff)
        done;
    done

Program 2
    x := ff;
    y := N;
    while tt do
        tick(!x);              ⇐
        x := get;
        y := N;
        while get ∧ !y ≠ 1 do
            y := !y - 1;
            tick(ff)
        done;
    done

(b) LTS of program 1. [Transition diagram not recoverable from the extracted text: states are labelled by the value of x and the output, e.g. "x = tt, output = tt", and transitions by the input value and the assignment performed, e.g. "input = tt, x := get".]

(c) LTS of program 2. [Transition diagram not recoverable from the extracted text: labelled as in (b), the transition leaving the outer tick also performing "y := N".]
8 Conclusions and future works

We have formalized in this paper the notions of functional dependency and reaction time for some synchronous systems. These notions are adapted to the formal investigation of reaction time constraints for the aforementioned synchronous systems. Functional dependencies were shown to be brittle and not suited to composition and verification. To answer this problem, we proposed an approximate method which gains compositionality by restricting its scope to deterministic separators.

Our work opens some other research directions: a broader investigation of the notion of reaction time in a more general setting [7] could prove fruitful and lead to simpler, more abstract and general definitions. Our composition operators are quite restricted, as shown in the example, but making them more flexible should be possible by making deterministic effects a function of some arbitrary decidable specification. It also seems possible to apply our ideas to the refinement-based development of systems.

We provide a formal framework, amenable to automated verification, for reasoning on functional dependencies and reaction time. This effort should help the software designer and programmer to deliver reliable, predictable and efficient systems.